SQL Injection Vulnerability in Star7th ShowDoc Affecting Multiple Versions
CVE-2026-6982

5.3 MEDIUM

Key Information:

Vendor: Star7th

Status
Vendor
CVE Published: 25 April 2026

What is CVE-2026-6982?

A SQL injection flaw affects Star7th ShowDoc versions up to 2.10.10, 3.6.2, and 3.8.0. Manipulating the 'pages' argument of the API Page Sort Endpoint in PageController.class.php leads to SQL injection. The vulnerability can be exploited remotely, allowing attackers to execute unauthorized SQL queries and potentially compromise the database. Users are advised to upgrade to version 3.8.1, as the vendor has indicated no plans to patch older versions.

Affected Version(s)

ShowDoc 2.10.0

ShowDoc 2.10.1

ShowDoc 2.10.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

LIU Tingwei (VulDB User)
VulDB CNA Team